Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

A group of researchers released a paper today describing a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard; the same paper shows that S/MIME is affected as well. The paper includes a proof-of-concept exploit that lets an attacker use the victim’s own email client to decrypt previously captured messages and return the decrypted content to the attacker without alerting the victim, for example by wrapping the stolen ciphertext in an HTML message so that the client leaks the plaintext when it loads remote content. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. Until clients are patched, disabling HTML rendering and remote-content loading in the mail client blocks the published exfiltration channel.

TWITTER URGES USERS TO CHANGE PASSWORDS DUE TO GLITCH

Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone. While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost. “We’re sharing this information so everyone can make an informed decision on the security of their account.”

Meltdown and Spectre, two security flaws said to affect almost all CPUs released since 1995, were announced this week and will probably haunt us for years to come.

Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. We will probably see it reused by other botnets in the near future.

December 15, 2017 / in IT security, SIRT / by Raymond Aarseth
About the author: I work as an Operations Technician at Basefarm and am part of the Security Incident Response Team. I have a master’s degree in information security from the University of Bergen, with a focus on security in virtual environments and cloud computing.

This week’s top stories begin with the ROBOT attack (Return Of Bleichenbacher’s Oracle Threat), a vulnerability in implementations of RSA key exchange that use PKCS #1 v1.5 padding. This includes SSL/TLS when RSA is used for key exchange: a server that responds differently to correctly and incorrectly padded ciphertexts acts as a padding oracle, which lets an adversary decrypt recorded traffic and even sign messages with someone else’s private key. Vulnerable products include F5, Citrix and Cisco, and many vendors have released patches. Beyond patching, preferring (EC)DHE cipher suites removes RSA key exchange from the handshake altogether.
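The oracle behind ROBOT, as an added example in Python (not code from the original post or the ROBOT authors’ scanner): a toy RSA key exchange, a server that leaks the padding outcome through distinct alerts beside one that follows RFC 5246’s advice to substitute a random pre-master secret, and a probe that encrypts a handful of malformed blocks with the public key and reports an oracle when the responses differ. The key (two small Mersenne primes), the 8-byte pre-master secret and the probe blocks are all constructed for the example.

```python
"""ROBOT-style check for an RSA PKCS#1 v1.5 padding oracle in a key exchange.

Added example, not from the original post or from the ROBOT authors' scanner.
Everything is simulated in-process: a constructed toy RSA key (two Mersenne
primes, far too small for real use), an 8-byte "pre-master secret" instead of
TLS's 48 bytes, and servers that return a string where TLS would send an alert.
"""
import os

# Constructed toy key. 2**89-1 and 2**107-1 are Mersenne primes; never use in practice.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # Python >= 3.8
K = (N.bit_length() + 7) // 8              # modulus length in bytes: 25
PMS_LEN = 8                                # toy; TLS uses 48
CLIENT_VERSION = b"\x03\x03"               # TLS 1.2, echoed in the first two PMS bytes


def rsa_encrypt(block: bytes) -> bytes:
    """Textbook RSA on a K-byte block; an attacker can do this with the public key."""
    assert len(block) == K and int.from_bytes(block, "big") < N
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")


def rsa_decrypt(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def pkcs1_v15_pad(pms: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2: 0x00 0x02 | PS (>= 8 non-zero bytes) | 0x00 | M."""
    ps_len = K - 3 - len(pms)
    assert ps_len >= 8
    ps = bytes(b if b else 1 for b in os.urandom(ps_len))   # no zero bytes in PS
    return b"\x00\x02" + ps + b"\x00" + pms


def leaky_server(ct: bytes) -> str:
    """Vulnerable decoding: every failure mode is distinguishable to the client."""
    m = rsa_decrypt(ct)
    if m[:2] != b"\x00\x02":
        return "alert:decrypt_error"
    sep = m.find(b"\x00", 2)
    if sep == -1:
        return "alert:decode_error"
    if sep < 10:                            # PS shorter than the mandated 8 bytes
        return "alert:illegal_parameter"
    pms = m[sep + 1:]
    if len(pms) != PMS_LEN:
        return "alert:handshake_failure"
    if pms[:2] != CLIENT_VERSION:
        return "alert:protocol_version"
    return "continue"


def hardened_server(ct: bytes) -> str:
    """RFC 5246 section 7.4.7.1 style: on any padding or version problem, swap in a
    random PMS and carry on. The handshake then fails at Finished with the same
    alert in every case, so the client learns nothing about the padding."""
    fallback = CLIENT_VERSION + os.urandom(PMS_LEN - 2)
    m = rsa_decrypt(ct)
    sep = m.find(b"\x00", 2)
    ok = m[:2] == b"\x00\x02" and sep >= 10 and len(m) - sep - 1 == PMS_LEN
    pms = m[sep + 1:] if ok else fallback
    if pms[:2] != CLIENT_VERSION:
        pms = fallback
    # pms would now feed key derivation; nothing about the branch taken is observable
    return "continue"


def robot_probe_blocks() -> dict:
    """Crafted plaintexts in the spirit of the ROBOT scanner's test vectors (constructed
    here; the names are ours). Each one fails decoding for a different reason."""
    ps = b"\x01" * (K - 3 - PMS_LEN)
    good_pms = CLIENT_VERSION + bytes(PMS_LEN - 2)
    return {
        "wrong_version": b"\x00\x02" + ps + b"\x00" + b"\x02\x02" + bytes(PMS_LEN - 2),
        "wrong_prefix":  b"\x00\x17" + ps + b"\x00" + good_pms,   # toy modulus is small, so keep 0x00 first
        "early_zero":    b"\x00\x02\x00" + b"\x01" * (K - 4 - PMS_LEN) + b"\x00" + good_pms,
        "no_separator":  b"\x00\x02" + b"\x01" * (K - 2),
        "empty_message": b"\x00\x02" + b"\x01" * (K - 3) + b"\x00",
    }


def has_padding_oracle(server) -> bool:
    """Encrypt each probe with the public key; differing responses mean the
    decoding outcome leaks, which is all a Bleichenbacher attack needs."""
    responses = {name: server(rsa_encrypt(block)) for name, block in robot_probe_blocks().items()}
    return len(set(responses.values())) > 1


def honest_handshake(server) -> str:
    """A well-formed ClientKeyExchange is accepted by both servers."""
    return server(rsa_encrypt(pkcs1_v15_pad(CLIENT_VERSION + os.urandom(PMS_LEN - 2))))


if __name__ == "__main__":
    print("leaky server oracle:   ", has_padding_oracle(leaky_server))      # True
    print("hardened server oracle:", has_padding_oracle(hardened_server))   # False
```

Real ROBOT hosts leaked through timing and TCP behaviour as well as through alert codes, which this simulation does not model, but the decision in has_padding_oracle is the same either way: if any observable difference in server behaviour correlates with the padding, the private-key operation is available to anyone who can talk to the server.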

A database containing over 1.4 billion clear-text credentials was discovered by security firm 4iQ while looking for passwords on the “dark web”. The full database is over 41 GB of clear-text usernames and passwords aggregated from previous leaks, including Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and RuneScape, and credential lists like Anti Public and Exploit.in.

Security researcher ZwClose discovered that many HP notebook models ship with a keylogger built into the pre-installed Synaptics touchpad driver, which could be used by malware or an attacker to spy on the user. The keylogger is debug tracing that is disabled by default, but it can be turned on by changing a value in the Windows registry. Changing that value requires administrative rights, but because the logging is then done by a signed, HP-supplied driver, an attacker does not need to drop a separate keylogger that security products might flag. HP has released a driver update for all the affected HP notebook models.

Tenable released Nessus Professional v7, removing API and multi-user support. Many security professionals consider these two features essential, and the change has been met with criticism in the security community. It gets worse: when notifying users about the new version, Tenable added all of them to a support forum that sent out as many as 150 emails a minute for over an hour, effectively creating a spam storm for its own customers.

A new attack framework, “TRITON”, targets industrial control systems (ICS), specifically Schneider Electric’s Triconex safety instrumented system (SIS) controllers, and caused operational disruption at a critical infrastructure facility according to Mandiant. This looks to be a nation-state sponsored attack, and because it tampers with the safety systems themselves it could lead to physical damage at plants producing gas, power and other critical infrastructure.

December 8, 2017 / in IT security, SIRT / by Raymond Aarseth

This week’s top story is that Microsoft issued an emergency Windows security update for a critical vulnerability that could lead to remote code execution in Microsoft’s own Malware Protection Engine. CVE-2017-11937 is a memory corruption bug that lets a specially crafted file run code on the machine when the engine scans it, which happens automatically for downloads and email attachments. This is an out-of-band security update released just days before the December Patch Tuesday, and Microsoft advises installing it as soon as possible.

Bugs in over 30 mail clients let a phisher craft perfectly spoofed emails. The messages pass DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks because they are genuinely sent from the attacker’s own domain; the trick is a specially encoded From header (RFC 1342 encoded-words containing null bytes or newlines) that the client decodes and then displays as a different, trusted address. This collection of bugs has been named “Mailsploit” by the researcher who discovered it, and a list of vulnerable clients can be found here.
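The header trick as an added example in Python (not code from the original post or from Mailsploit’s author): the spoofed From value is constructed here with potus@whitehouse.gov and mailsploit.com as placeholder victim address and attacker domain, the decoding uses the standard library’s encoded-word parser, and the “naive” renderer imitates the clients that stopped at a NUL byte or showed only the first line.

```python
"""How a Mailsploit-style From: header fools the client but not the authenticators.

Added example, not from the original post or the Mailsploit author. The header
is built here from a victim address and an attacker domain (both placeholders);
naive_display imitates clients that stop at a NUL byte or at the first line,
which is the behaviour the bugs exploited.
"""
import base64
from email.header import decode_header

CONTROL = {chr(i) for i in range(0x20)} | {"\x7f"}


def mailsploit_from(victim_addr: str, attacker_domain: str, terminator: str = "\x00") -> str:
    """RFC 2047 encoded-word hiding 'victim_addr<terminator>' in the local part.
    The only '@' visible outside the encoded word belongs to the attacker."""
    word = base64.b64encode((victim_addr + terminator).encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{word}?=@{attacker_domain}"


def authenticated_domain(raw_from: str) -> str:
    """What SPF/DKIM/DMARC alignment is checked against: the literal header's
    domain part. (A real MTA uses a full address parser; the result is the same.)"""
    return raw_from.rsplit("@", 1)[1].strip(" >")


def decode_from(raw_from: str) -> str:
    """Decode encoded-words with the stdlib and concatenate the pieces, which is
    what a client does before showing the sender."""
    pieces = []
    for text, charset in decode_header(raw_from):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii")
        pieces.append(text)
    return "".join(pieces)


def naive_display(decoded: str) -> str:
    """Imitates a vulnerable client: the C string ends at NUL, only the first line is shown."""
    return (decoded.split("\x00", 1)[0].splitlines() or [""])[0]


def hardened_display(decoded: str):
    """Refuse to render a sender that carries control characters after decoding;
    return None so the caller can flag the message instead of showing it."""
    if any(ch in CONTROL for ch in decoded):
        return None
    return decoded


if __name__ == "__main__":
    raw = mailsploit_from("potus@whitehouse.gov", "mailsploit.com")
    print("raw header       :", raw)
    print("DMARC sees       :", authenticated_domain(raw))            # mailsploit.com
    print("vulnerable client:", naive_display(decode_from(raw)))      # potus@whitehouse.gov
    print("hardened client  :", hardened_display(decode_from(raw)))   # None
```

The authenticators never see the victim address, because it only exists inside the base64 of the encoded-word; the bug is entirely in how the client renders the decoded result, which is why the fix has to land in the mail clients rather than in SPF, DKIM or DMARC.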

Two researchers from enSilo described a new code injection technique called “Process Doppelgänging” at Black Hat Europe 2017. The attack works on all Windows versions, and the researchers say it bypasses most of today’s major security products. It is a fileless technique that abuses NTFS transactions in the Windows process-loading mechanism to run code from a file that is never committed to disk, and since it exploits core design rather than a bug, there is no simple patch for it. The good news is that it is technically challenging to pull off.

I wanted to share the latest trends in spam and/or malware I have seen coming into Basefarm this last week. Thanks to everyone who is spamming me for making this possible. 🙂

The latest trend is a mail with very little detail, complaining about a delay in shipping, missing tracking information, anything really, with an attached .doc file carrying a simple name like “order-confirmation.doc” or “invoice.doc”.

We, as good people, want people to be happy with our service, so we get a little worried that we have missed something and rush to open the .doc file to see how we can correct the misunderstanding. The .doc file is loaded with macros, and once it is opened and content is enabled it downloads whatever malware most recently paid the spammer. Mostly I have seen botnet installs and no crypto-ransomware so far, but the payload can be swapped on the fly by the malware authors.
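A gateway-side triage for exactly this lure, as an added example in Python (not from the original post, and not Basefarm’s own mail filter): it parses a message, pulls the attachments, and flags the combination of a terse body, a generic “invoice”/“order” filename and macro indicators inside the document. The sample messages and attachment bytes are constructed here, and the macro check is a byte-level heuristic over OLE stream names and OOXML zip entries rather than a VBA parser; it also covers the macro-enabled .docm form of the same lure, which the post does not mention.

```python
"""Gateway-side triage for the "delayed shipment + invoice.doc" lure.

Added example, not from the original post. The messages and attachment bytes
are constructed here; the macro check is a byte-level heuristic (OLE/CFB
stream names, or vbaProject.bin inside an OOXML zip), not a VBA parser. For
real analysis run the attachment through a proper tool such as olevba.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"                 # [MS-CFB] signature
VBA_STREAM_NAMES = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros", "VBA")]
VBA_MARKERS = VBA_STREAM_NAMES + [b"Attribute VB_"]            # literal seen in module streams
OFFICE_EXT = (".doc", ".dot", ".docm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm", ".rtf")
LURE_WORDS = re.compile(r"invoice|order|confirm|shipping|tracking|receipt|payment", re.I)


def has_macro_indicators(blob: bytes) -> bool:
    """OLE file containing VBA stream names, or an OOXML zip with vbaProject.bin."""
    if blob.startswith(OLE_MAGIC):
        return any(marker in blob for marker in VBA_MARKERS)
    if blob.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(raw_message: bytes) -> dict:
    """Score one message the way a SIRT mail filter might; returns the verdict and why."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_len = len(body.get_content()) if body else 0
    reasons, macro = [], False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        if name.endswith(OFFICE_EXT) or blob.startswith(OLE_MAGIC):
            reasons.append(f"office document attached: {name}")
        if LURE_WORDS.search(name):
            reasons.append(f"generic lure filename: {name}")
        if has_macro_indicators(blob):
            reasons.append(f"macro indicators in {name}")
            macro = True
    if reasons and body_len < 200:
        reasons.append("terse body relying on the attachment")
    verdict = "quarantine" if macro else "review" if len(reasons) >= 2 else "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(filename: str, blob: bytes, subtype: str, body: str) -> bytes:
    """Constructed test message; nothing here comes from a real campaign."""
    m = EmailMessage()
    m["From"] = "orders@shipping.example"
    m["To"] = "sirt@example.com"
    m["Subject"] = "Delay in shipping"
    m.set_content(body)
    m.add_attachment(blob, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


# Stand-in for a macro-laden .doc: CFB signature followed by the UTF-16LE stream
# names a VBA project carries. Constructed; not a real document.
FAKE_DOC = OLE_MAGIC + bytes(120) + "_VBA_PROJECT".encode("utf-16-le") + bytes(32) + b"Attribute VB_Name"


def fake_docm() -> bytes:
    """Stand-in for a macro-enabled OOXML file: a zip carrying word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(16))
    return buf.getvalue()


LURE_DOC = build_sample("invoice.doc", FAKE_DOC, "msword",
                        "Please see the attached invoice for your delayed order.")
LURE_DOCM = build_sample("order-confirmation.docm", fake_docm(),
                         "vnd.ms-word.document.macroenabled.12", "See attached.")
BENIGN = build_sample("report.pdf", b"%PDF-1.4\n" + b"x" * 64, "pdf",
                      "Hi,\n\nattached is the quarterly infrastructure report we discussed on the call. " * 4)

if __name__ == "__main__":
    for label, raw in (("invoice.doc", LURE_DOC), ("order-confirmation.docm", LURE_DOCM), ("report.pdf", BENIGN)):
        print(label, triage(raw))
```

The verdict is deliberately asymmetric: macro indicators alone are enough to quarantine, because a legitimate invoice has no business carrying VBA, while the softer signals (lure wording, terse body) only send a message for review so the filter does not eat real customer complaints.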

The purpose of the botnet infection is the traditional proxying of malicious mail or web traffic, participating in DDoS, or the more modern mining of cryptocurrency. Also keep in mind that it is not uncommon for them to exfiltrate address books, stored passwords and any passwords typed while the machine is infected.

Unfortunately, having an up-to-date antivirus is not enough these days. So to avoid enjoying a borrowed computer from Internal IT while yours is being reinstalled, and changing every password you have for fear it was captured, slow down and think about which files you are opening. Being more security aware is the best defence against this.

As always, if you are not sure about something, talk to your closest internal-IT or SIRT person about your concerns. It is much easier to handle this while it is still in your inbox.